Strona głównaBlogHow to Protect Your Company Against Ransomware?

Czerwiec 9, 2017 Technologie

How to Protect Your Company Against Ransomware?

Reading Time: 7 minutes

In the last few weeks, the streak of incidents involving WannaCry ransomware shook various media outlets. The malicious software encrypted a multitude of computers all around the world, paralyzing the workflow of numerous companies across industries. The attack again brought to attention the growing danger of digitally stored data.

Even though the destructive power of WannaCry ransomware was stopped relatively fast, WannaCry is just a drop in the ocean of other malicious software that targets numerous personal and corporate computers every day. On average, a ransomware attack on a company occurs every 40 seconds and every 10 seconds on an individual user.

To help you and your company deal with ransomware and minimize the damage, let’s take a closer look at what exactly ransomware is and how to prevent it.

What Is Ransomware?

Ransomware is a type of malicious software that encrypts data on a hard drive, demanding ransom from victims to decrypt it. With ransomware, the attacker doesn’t need to download any of the targeted data. From the attacker’s perspective, it has numerous advantages over other types of attacks.

  • No need to sieve through data to pick valuable chunks of it

  • Automation of the whole process

  • Earning from data that otherwise has no market value (i.e. vacation photos)

  • No need to look for buyers should the data have any value (i.e. intellectual property, confidential customer data)

  • Decreased risk of capture because there’s no direct connection to the targeted device

The above is, of course, the traditional description of ransomware. Currently, however, there are new variations of the malware emerging every day, with types capable of performing data exfiltration.

With so many benefits, ransomware has become one of the most popular malware among hackers in the twenty-first century.

How Does Ransomware Work?

There are many types of ransomware, each exhibiting slightly different behavior once it infects a victim’s computer. For example, ransomware doesn’t always have to block the victim’s data immediately. Sometimes ransomware worm will stay dormant for a while, performing no visible harm on the infected device.

But because you cannot see the damage, this doesn’t mean nothing wrong is happening. The dormant period is often used to infect the device with other malware or to use the infected device to perform DDoS attacks or send out SPAM messages. When the main objective of the ransomware is next in the queue, the malicious software blocks user access to the data by encrypting it and making it impossible for the user to access the data until the hacker’s requests are met.

Ransomware usually encrypts data on a hard drive, but there are types of ransomware capable of encrypting data on external backup devices on the server or data stored in the cloud. When all of the user data is encrypted, a message pops out on the screen informing the user of the attack and a hefty ransom in exchange for decryption. In most cases, it’s the first sign for the user that there’s something wrong going on with the device. Unfortunately, it’s often too late to do something about it. Encryption algorithms that ransomware uses are efficient enough to almost completely prevent the user from accessing the data without the decryption key.

Hackers behind ransomware are cunning and careful not to get caught. To conceal their identity and decrease the risk of capture, the ransom is collected via Bitcoins. Inside the ransom message, there’s usually enough information for even a moderate computer user to learn about the cryptocurrency and pay the ransom. However, as has been observed with WannaCry attacks, many companies across the world failed to pay the ransomware fee simply because their knowledge of Bitcoins and how these payments work was scarce.

Screenshot by Securelist.

WannaCry Mechanism

The history behind WannaCry traces back to 2016 when a group of hackers going by the name of the Shadow Brokers began leaking a number of tools purportedly used by the National Security Agency (NSA). Among the tools was EternalBlue exploit that WannaCry hackers used to design malware able to infect multiple devices by compromising an error in the SMB protocol. Exploiting the error didn’t require user interaction and happened completely unnoticed.

Exploiting various security flaws and vulnerabilities are attack methods currently booming in popularity among hackers. And it was a security flaw that has contributed to the huge success and efficiency of WannaCry ransomware.

Growing Scale of Ransomware Attacks

Beazley, an insurance company handling data breaches, projects to deal with 400 ransomware cases in 2017, compared to 200 in 2016 and less than 50 in 2015. Beazley further reports that these are malware attacks, such as ransomware, that cause the majority of data breaches across many industries, including healthcare, financial, or higher education.

Vulnerability for an attack increases during specific periods in a company’s yearly cycle. That said, busy times, such as quarterly summaries or sales, are periods particularly attractive for attackers. With time pressure and increased workload, it’s easier for an employee to unintentionally open an infected attachment or click on a malicious link.

Attacks also often align with important international events, such as Soccer World Cup or Olympics, when the need for information is at its highest, as is the carelessness to click on something dangerous.

To Pay or not to Pay?

Aside from convenience, ransomware entices hackers with a relatively high percentage of victims who decide to pay the ransom, roughly 40% to 50% of all infected companies, which essentially encourages the hackers to conduct more attacks. Nevertheless, it might be difficult for the victims, especially for companies which rely heavily on their data, to make a conscious decision not to pay the ransom. Often the data ransomware encrypts amounts to weeks, months, or even years of work and its lack can completely paralyze a company or organization.

Another factor influencing the victim’s decision to pay is often the increasingly growing ransom or regular partial data deletion of the encrypted data. Symantec estimated that an average ransom demanded by hackers equaled roughly $679 in 2016, more than doubling since 2015’s $294. The WannaCry ransom fell between $300 and $600.

It’s worth noting here that even if a victim pays the ransom, it doesn’t mean the data can or will be restored.

In fact, a hacker behind a particular attack could have terminated his or hers activity, or worse yet, unblocking the data might not have even been on that attacker’s agenda in the first place. And even if you somehow gain the decryption key to your data, there is no guarantee that your computer won’t be infected again, even with the same ransomware.

Vicious Cycle of Paying the Ransom

If a company decides to pay the ransom, it becomes clear to a hacker that the attack was a success and can be conducted again and again not only on the same company but other companies operating within the same industry. Keep in mind that in the hacker’s world, the word about paying industries and companies travels fast.

Paying the ransomware brings only one definite effect—it’s financing the work and effort of the attacker which in turn gives the perpetrator more time and means to better the malicious software.

How Can You Protect Your Company?

There are many ways in which you can decrease the risk of falling a victim of ransomware or other cyberattacks. Bear in mind, however, that there isn’t a method out there yet that can keep your business one hundred percent safe. The multitude of distribution channels makes malicious software increasingly more difficult to deter or detect in time to save your data.

Step One: Keeping Things Up to Date

In the case of WannaCry, companies and individuals could have avoided the risk of infection by installing Microsoft-provided patches that fixed the security flaw.

That’s why one of the first steps in ransomware prevention is ensuring that all of the software installed on a computer is up to date and with all security patches. Since checking for updates is the easiest step in a journey toward a safe computer, it should become a routine of your IT department.

Keeping software up to date is valid not only for the operating system but also even the smallest applications on the computer. So if your employees are using a software that hasn’t been updated for a few years, you should look for a tool with the same functions but one that is actively updated.

After ensuring all tools and applications are up to date, you should analyze how your employees use their computers and whether they’re cybersecurity-ready.

Step Two: Online Behavior

The risk of becoming a victim of ransomware increases during careless computer usage; usually, it’s entering some shady websites, downloading untrusted software, or opening suspicious emails. That’s why raising cybersecurity awareness among your employees is so important.

Hackers are lurking in the cyber depths, waiting patiently until the victim is careless. Remember, it’s only a matter of one malicious attachment to compromise the data of your company. Regardless of a channel, all suspicious messages should be treated as potentially harmful. An email with an invoice you weren’t expecting, a message with a link to a funny video from a friend you haven’t heard from for a few years, or even a document that needs special permissions to be accessed sent from a coworker. You should alert your employees to see these types of messages as a potential threat and advise them to report any instances of their occurrence. When it doubt, your employees should confirm the message’s validity with the sender via other channels before accessing the message.

Remember that successful ransomware attack puts your company at risk for one thing, but can also be a major reputational risk to your company if the confidential data of your customers leaks into the open.

Cybercrime on the Rise

Criminal groups all over the world are working hard on developing malicious software to monetize their efforts. One massive ransomware attack follows another, often more precise and difficult to detect.

Software developers are constantly working to make their products more secure and antivirus programs are increasingly more resilient against malware, but considering that there are currently so many attack entry points, there’s nothing keeping your company completely risk-free.

Cybersecurity Awareness

Raising cybersecurity awareness, as well as regular training sessions explaining prevention and best practices, should be high on your agenda as a business owner. But one of the best things you can do to stay safe is to have a regular backup copy of all of your company’s critical data. Remember to store that backup copy on a drive that doesn’t have an Internet connection and cannot be accessed by other users or employees. Also, consider investing in a business continuity plan, for that investment can essentially save you a lot of trouble and money in the future.

NOTE: Upon rapidly increasing ransomware incidents, various cybersecurity companies in cooperation with law enforcement agencies have created a website intending to help victimized individuals and companies to recover their data without paying the ransomware. Also, law enforcement agencies are currently focusing their efforts on tracking Bitcoin payments.

Piotr Janek,
Admin at Polcode